Digital Privacy and the Illusion of Choice – The Tribune

My second op-ed on privacy, published in the August 20 issue of The Tribune. Original title: Digital Privacy and the Illusion of Choice.

Unknown to many, the draft Personal Data Protection Bill (PDPB) and its harbinger, the European General Data Protection Regulation (GDPR), are a crucial departure from how states have guaranteed privacy to their subjects. They mark a silent defeat against the pervasiveness of sensors that intrude on our public and private lives, shifting the onus of accountability from the agents that produce to the agencies that consume.

It has become impossible to evade digital sweeps of observation, so much so that the absence of sensorial data makes you an obvious suspect for the security agencies.

Disconnecting from the grid has its own caveats – it was the peculiar absence of digital waste from the safehouse in Abbottabad where Osama bin Laden had been hiding that caught the attention of the CIA. The spatial taxonomy that applied to our logical world, like maintaining personal distance or being let alone, has become extinct.

Collecting data is okay now but profiling individuals is not. The PDPB, too, by design or coincidence, assumes that the morality of identification could somehow compensate for the (il)legality of observation. It is a desperate effort to shift the fulcrum of law from observability to identifiability.

The very architecture of consent depends on defining what the observables are – say, Sensitive Personal Data (SPD) on biometrics, medical history, caste, gender, and sexual orientation, etc. But their distinction, and thus their compartmentalisation, is becoming increasingly nebulous.

The U.S. Defence Information Systems Agency is betting on gait recognition – the way we walk – to authenticate a person, and the technology is commercially available. Samsung has applied for a patent that uses blood flow as a means of user verification. Everything from the way we type and our swipe patterns to our voice can fall under the window of profiling.

The sensors need not be placed in a mobile or within the proximity of the subject. Authentication can now be accomplished from a fair distance. Even if new observables are constantly added to the list of the SPD, partial chunks captured across a spectrum of sensors could be used to identify an individual while still maintaining compliance with the law.

As ingenious methods of profiling come to light, the retrospective cleaning up of databases would become an exercise in futility as the information would have already been digested and excreted by the surveillance economy.

A cursory look at the rights of a Data Principal (a person as the producer of information) defined in the PDPB tells us how untenable they are in the present, and more so in the future.

A hacker may wake up livid one day to realise that the Right to Be Forgotten impedes political transparency – which is true. She could easily build an archiving system that crawls or crowdsources content in an anonymous fashion and feed it into a blockchain – a decentralised, irreversible and unalterable ledger. A machine that will never forget what you did last summer, even if it wants to, could just be a summer project executed in a basement.

Politwoops.eu is a portal that is already recording the deleted tweets of European politicians in direct violation of the GDPR. To maintain compliance, Twitter has recently forced many archiving websites to shut shop, but could this work at speed or scale? Leave aside forgetting; the U.S. could not even take Wikileaks offline for all these years despite launching a global witch-hunt. So potent is the availability of information in cyberspace that it is sometimes deemed a cyberweapon.

The Right to Data Portability is largely aimed at keeping powerful monopolies like Facebook and Google in check. In the end, data monopolies thrive on monocultures – the prevalence of a single software or hardware architecture like Windows, Android, iOS, Qualcomm, and Intel, etc. Such mass-market platforms offer broad functionalities to the developers with barebones production costs – but their bloated feature-set means more vulnerabilities and vendor overreach.

Facebook is a data monoculture of the higher end. The Right to Data Portability would liberate just the social media and web layers, out of the countless many of which the internet is made. Most unknown observables pass under the radar through the numerous overlooked labyrinths.

In an industry where every vendor assumes the worst in the other, running data dragnets with impunity becomes a healthy competition of sorts. No matter where you port your data, the underlying Qualcomm chips, which power billions of mobile devices, may very well capture and relay your location activity to hedge funds or other interested parties. Data portability, too, is an illusion of choice.

The demarcation between functionality and surveillance is eventually going to disappear. As companies become the new countries, our social contract will be recalibrated to insert ‘utility’ between the dyad of privacy-security. Profiling would be legitimised as an essential service. The law may provide a moral direction, but it cannot address the systemic weaknesses of cyberspace. Stemming from the decentralised nature of the internet, these limitations are beyond the reach of any single government.

Cyber geo-strategy does not exist as a formal discipline in India. This blog takes a shot at it.

It also curates Pukhraj's publications on cybersecurity spanning a decade. His bylines have appeared in The Indian Express, The Tribune, Deccan Herald, The Print, Huffington Post, BW BusinessWorld, The Quint, and Seminar.

Pukhraj was also recognised as a social activist while running Abroo, a now-defunct sociopolitical initiative for the Dalits of Punjab.